Big IT Firms Apply Talents to Fed Cybersecurity Research

By John K. Higgins
Apr 30, 2013 5:00 AM PT

Protecting Internet information has become a costly enterprise, with worldwide spending on security estimated at US$60 billion in 2012. That figure will grow to $86 billion by 2016, according to a Gartner study.

To help ensure that those investments are being spent wisely -- and to keep technology a step ahead of threats -- 11 major companies have joined a program designed to foster research on improving data security.

In recognition of the critical need to protect private sector intellectual property and other valuable business data from a growing number of cyberthreats, the companies have established partnerships with the National Cybersecurity Center of Excellence (NCCoE), a public-private partnership hosted by the U.S. Commerce Department's National Institute of Standards and Technology (NIST). Company representatives and federal officials formally launched the program April 15.

The NCCoE will serve as a test bed where users and vendors can collaborate on new ideas and technologies prior to deployment, and thoroughly document and share each solution. Each of the companies pledged to contribute hardware and software components and share best practices and personnel with the center.

Cyberexperts from each company will work together at the center to come up with practical solutions to online threats. The structure of the program is designed to encourage the rapid adoption of comprehensive security templates and approaches that support automated and trustworthy online activities.

A Focus on Real World Threats

The Center was created last year with a budget of $10 million to operate the program, including development of the partnership initiative. Research will be conducted at a state-of-the-art computing facility near NIST's Maryland campus outside of Washington D.C. Funding for 2013 was increased to $20 million.

"NIST looks forward to working with these top private sector companies, and our state and federal partners, to help the Center jump-start its work to better protect our vital IT infrastructure and business information," said Under Secretary of Commerce for Standards and Technology and NIST Director Patrick Gallagher.

Program participants will focus on creating solutions that can be rapidly applied to actual situations. To equip businesses with practical ways to generate effective results, the center will follow a four-step process:
1. identify problems and define a project around relevant technical use cases in which needs are currently unmet;
2. assemble a team of cybersecurity experts from industry, government and academia;
3. build practical model solutions based on commercially available technology that are repeatable, scalable, and secure and that can be used with various products;
4. facilitate rapid, widespread deployment and use of the solutions.

"The Center will develop use cases that are based on existing cyberproblems and challenges. For example, the first use case is focused on health IT," Tiffany Jones, director of public sector programs at Symantec, told the E-Commerce Times. Symantec is one of the 11 participants.

The healthcare case involves a hypothetical independent primary care physician using a mobile device to perform a variety of reoccurring activities such as sending an electronic prescription, messaging patient lab results, and viewing patient records.

"When a physician uses a mobile device to push clinical information to an electronic health record, it allows another physician to access the clinical information through a mobile device as well. Obviously the goal is to be able to successfully perform these activities in a secure way," Jones said.

The full gamut of cybersituations is within the scope of research at the center, but they will need to be addressed in some prioritized fashion. These would include sensitive credit and financial information, identity protection, infrastructure security and intrusion protection. Corporate resources, including personnel, will be obtained according to the requirements for each research project.

"We do not have a dedicated set of people assigned to the NCCoE. However, as each use case is established, we will identify the appropriate subject matter experts to work on the project," Jones said.

In a parallel development, NIST has conducted a variety of outreach efforts with the private sector to gather information for directing the agency's cyberresearch and standards setting program, with some of the input filtering back into the NCCoE program.

"We have been impressed by the response to our call for participation from the private sector, which has led to a robust pipeline of projects and use cases," Nate Lesser, deputy director of the NCCoE, told the E-Commerce Times.

Companies Provide Input

"Our initial core partners were selected for the breadth of their IT and cybersecurity offerings, and their commitment to participate in a wide range of center activities," Lesser said.

The core partners include Symantec, Cisco Systems, HP, HyTrust, Intel, McAfee, Microsoft, RSA, Splunk, Vanguard Integrity Professionals and Venafi. In addition to the designated partners, other vendors and integrators can contribute to the NCCoE work by providing information and feedback to validate and improve solutions, and help customers implement the NCCoE solutions in real environments, NIST said.

"NCCoE will allow the public and private sectors to openly collaborate to develop solutions for the most pressing cybersecurity challenges, and mutually understand the various use cases and unique requirements of both sectors," said Hemma Prafullchandra, chief technology officer at HyTrust.

"It's fantastic that vendors are coming together to develop end-to-end solutions that have real world traction," she said.

In addition to encouraging government and private sector cooperation, the NCCoE may present a direct business opportunity for a private sector firm to actually manage the center.

NIST expects to issue a request for proposals sometime in the summer for an entity known as a Federally Funded Research and Development Center (FFRDC) to operate the NCCoE under a government contract. FFRDCs are utilized to meet a "special long-term research or development need which cannot be met as effectively by existing in-house or contractor resources," according to federal contract regulations. Private firms as well as universities or other organizations are eligible to become FFRDCs.

In an April 15 notice, NIST said the FFRDC will be required to provide research and engineering support; supply project management and guidance for "increasing the effectiveness and efficiency of cyber security applications;" and provide facility management. Companies and others interested in pursuing the contract have until July 22, 2013 to comment on the FFRDC proposal.

"Cyberthreats cut across networks, borders and sectors, and leaders in government and industry must work together to help protect the nation's critical infrastructure and information," said National Security Agency Director Gen. Keith Alexander at the program launch event. "No one organization can do the job alone. NSA supports NIST's efforts to partner with industry to tackle cyberchallenges."

John K. Higgins is a career business writer, with broad experience for a major publisher in a wide range of topics including energy, finance, environment and government policy. In his current freelance role, he reports mainly on government information technology issues for ECT News Network.